WordPress 4.7.2 Security Release and Vulnerabilities

We know, we know, you’re probably sick of hearing us remind you to keep your WordPress site updated but we only reinforce the point because it’s so important. Whether you or a technical guru in your organisation is in charge of keeping your site updated, now’s the time to update to WordPress 4.7.2 if you haven’t already.

This latest version was released at the end of last month in response to four vulnerabilities that were spotted in WordPress 4.7.1 and reported by members of the WordPress community. A list of the security issues was shared on WordPress.org and they include:

An issue where the user interface for assigning taxonomy terms in Press This was shown to users without the relevant permissions

An issue where WP_Query was vulnerable to a SQL injection when transferring unsafe data. WordPress stressed that the WordPress core was not itself vulnerable to the issue but they added hardening to prevent any plugins or themes accidentally causing an issue

An issue where a cross-site scripting vulnerability was discovered in the post lists table

Finally, there was an unauthenticated privilege escalation vulnerability discovered in the REST API endpoint

WordPress also took the opportunity to thank the community members who spotted and reported the vulnerabilities, and went on to highlight the importance of responsible disclosure. If you spot any bugs, security risks or vulnerabilities in the latest version of WordPress there’s a simple procedure in place so you can create a ticket and bring any issues to the attention of the WordPress core development team.